"You still use the password after all" - Exploring FIDO2 Security Keys in a Small Company

Page created by Diana Lawrence
 
CONTINUE READING
"You still use the password after all" - Exploring FIDO2 Security Keys in a Small Company
“You still use the password after all” –
                           Exploring FIDO2 Security Keys in a Small Company

              Florian M. Farke                                  Lennart Lorenz                      Theodor Schnitzler
            Ruhr University Bochum                         tracekey solutions GmbH                Ruhr University Bochum
                                     Philipp Markert                               Markus Dürmuth
                                  Ruhr University Bochum                        Ruhr University Bochum

                             Abstract                                         Phishing attacks become more and more sophisticated, lead-
The goal of the FIDO2 project is to provide secure and usable                 ing to often transparent and nearly indistinguishable imita-
alternatives to password-based authentication on the Web. It                  tions of valid authentication requests [3, 27].
relies on public-key credentials, which a user can provide via                   Many alternatives have been proposed, but their usage is
security tokens, biometrics, knowledge-based factors, or com-                 minimal [5]. Biometric schemes such as fingerprint or face
binations. In this work, we report the results of a qualitative               recognition are regularly used to unlock phones, but they
study accompanying the deployment of FIDO2-enabled secu-                      are not used for remote authentication. Authentication with
rity tokens for primary authentication in a web application of                hardware tokens, typically in the form of two-factor authenti-
a small software company operating in the life sciences indus-                cation (2FA) combined with a knowledge-based scheme like
try. We assisted the company in implementing and setting up                   passwords, provides high security, but distributing and manag-
FIDO2-enabled authentication on its public test and evalua-                   ing the hardware keys can become a great hurdle. 2FA using
tion server. Over four weeks, we observed the authentication                  possession-based factors such as smartphone apps or SMS
routine of 8 employees out of 10 employees regularly using                    tokens as a second factor is less secure, yet easier to set up
the web application, including sales representatives, software                and manage, but has only found limited adoption (e.g., less
developers, project managers, and account managers. We                        than 10 % of active Google accounts use 2FA [18]).
gathered data through login diaries, server logs, and semi-                      The FIDO2 project, including both the Fast IDentity On-
structured interviews to assess themes regarding usability,                   line (FIDO) Alliance [13] – an industry association – and
perceived security, and deployability. We found that partici-                 the World Wide Web Consortium (W3C) [29], aims at offer-
pants had several concerns, like losing the security token and                ing an alternative to password-based authentication that is
longer authentication times, while the security benefits were                 both usable and secure. It consists of two main components:
largely intangible or perceived as unnecessary.                               the Client to Authenticator Protocol 2 (CTAP2), governing
                                                                              the communication between the client and (external) authen-
                                                                              tication hardware, and the Web Authentication (WebAuthn)
1   Introduction                                                              specification defining the server-facing API on the client.
                                                                              WebAuthn became an official web standard in March 2019,
User authentication by username and password is still the
                                                                              and several browsers (e.g., Google Chrome, Mozilla Firefox,
most dominant method on the Internet and remote authentica-
                                                                              and Microsoft Edge) support it already.
tion in general. However, password-based authentication has
many usability and security flaws, and researchers and practi-                   FIDO2 promises a largely improved authentication experi-
tioners have been discouraging from using it for decades [5].                 ence and is backed by several big companies, like the Alibaba
On the Internet, passwords are prone to phishing attacks.                     Group, Amazon, Apple, Facebook, and Google. Thus, it is
                                                                              very interesting to understand the likely impact it can have in
                                                                              practice, including aspects of deployment and usability.
                                                                                 In this work, we present our experience with deploying
                                                                              FIDO2 in the context of a company. We report on a four-week
                                                                              evaluation phase in which we accompanied the deployment in
Copyright is held by the author/owner. Permission to make digital or hard     a life sciences company. Eight voluntary participants used a
copies of all or part of this work for personal or classroom use is granted   FIDO2-based authentication scheme on a daily basis and kept
without fee.
USENIX Symposium on Usable Privacy and Security (SOUPS) 2020.                 login diaries, which we combined with server logs, a survey,
August 9–11, 2020, Virtual Conference.                                        and semi-structured interviews after the four weeks.
To use the FIDO2-based authentication method, we gave             2    Background
the participants security keys (USB-based hardware tokens)
and guided them through the setup. The security keys could           The FIDO2 project has a more general and thus flexible
be used as a full-fledged alternative to username and password       approach to user authentication than its predecessor, the
in one of the company’s software products. We used security          Universal 2nd Factor (U2F) standard, and other authentica-
keys because they are relatively inexpensive and were com-           tion schemes. Compared to other 2FA/multi-factor authen-
patible with all computers the participants used at work. In         tication (MFA) approaches, the advantages of FIDO2 are
particular, we were interested in:                                   (i) growing support by all major browser and operating sys-
   • How do users behave when they have a security key as            tem vendors, (ii) open and standardized protocols, (iii) mak-
     an authentication alternative to username and password          ing authentication via username and password not mandatory
     and not only as a second factor?                                (although it is still possible), and (iv) building upon vetted
   • Do users use the security key in their daily routine?           asymmetric cryptographic principles and algorithms.
   • What differences do users identify between the authen-             The FIDO2 project consists of the WebAuthn specifica-
     tication schemes, especially do they perceive the new           tion of the W3C [4] and the Client to Authenticator Proto-
     method as more secure?                                          col (CTAP) defined by the FIDO Alliance [6]. FIDO2 allows
   • What advances or hinders the adoption of the new secu-          abstracting from the actual authenticator (e.g., a hardware
     rity key-based mechanism?                                       token). Thus, the Relying Party (e.g., a web server) does not
                                                                     require knowledge about the implementation details of the
   We learned that even though the participants liked using          authenticator. Figure 1 depicts the interplay of CTAP2 and
the security key-based authentication scheme, they tended            WebAuthn as we used it in our study.
to fall back to username and password. On the one hand,
                                                                        WebAuthn specifies a standardized, browser-independent
this is because participants do not want to abandon a habit
                                                                     JavaScript API that allows web services to interact with all
when there is no apparent necessity in doing so. On the
                                                                     sorts of facilities. Through this API, web services can imple-
other hand, they fear to lock themselves out when losing or
                                                                     ment user authentication in a way that is resilient to phishing,
breaking the security key. Participants who use a password
                                                                     password theft, and replay attacks. Instead of relying on
manager with an auto-fill feature of a web browser also report
                                                                     shared secrets like passwords, public-key cryptography is
that the authentication with the security key takes longer in
                                                                     used to create unique credentials for every web service and
comparison. In contrast, the participants assumed that the
                                                                     only generated and stored on the client’s device.
keys were providing a better security level, although they did
                                                                        On the other hand, CTAP2 governs the communication
not fully comprehend the authentication procedure’s technical
                                                                     between external authenticators and web browsers or other
details.
                                                                     applications supporting WebAuthn. The proposed CTAP stan-
   Our qualitative study is a first attempt to explore FIDO2 in      dard comprises two protocol versions – CTAP1, the protocol
a business environment and sheds light on which problems             used for U2F, and CTAP2 a new protocol used for WebAuthn.
arise when deploying FIDO2. In summary, we make the                  At the time of the study, implementations for the operating
following key contributions:                                         systems Android and Windows 10 were available.
   • We explore a passwordless web authentication scheme                The FIDO Alliance uses the term “passwordless” to de-
     rolled out as the first authentication factor in a real-world   scribe single-factor authentication and multi-factor authenti-
     application.                                                    cation with an authenticator or with an authenticator and a
   • We provide insights into the daily usage of security keys       personal identification number (PIN) or biometric. While it is
     in a company environment over four weeks by combin-             easy to agree with, for example, hardware tokens as a single
     ing login diaries, server logs, and interviews. The data        factor being passwordless, this is not inevitably the case if
     indicate that participants liked the passwordless authen-       additionally a PIN is used as a second factor. Although simi-
     tication scheme because of its simple usage, yet from           lar to a password, a FIDO2 PIN has some notable differences
     the users’ perspective, there is no clear advantage over        compared to passwords in the context of web authentication:
     password-based authentication. The positive impression              • No shared secret has to be entered, sent over network,
     of the security keys is less pronounced if participants               or store on the server-side. Phishing attempts and data
     previously used password managers that already limit                  breaches do not affect the authenticity of the credentials.
     some negative aspects of password-based authentication.             • A single PIN unlocks the authenticator and all account
   • Analyzing the participants’ feedback, we identify a set               credentials registered with the device. There is no need
     of adoption barriers, including the fear of getting locked            to set a unique password for every web service.
     out, a cumbersome integration of the security keys in the           • Guessing or brute-forcing the PIN is limited to eight
     work environment, and the general routine in using pass-              consecutive attempts. Reaching this limit resets the au-
     words. Those barriers should be minimized before intro-               thenticator to factory settings, effectively invalidating all
     ducing new security measures in work environments.                    generated credentials [6].
Figure 1: Communication via FIDO2. The cryptographic authenticator and the client communicate via USB using CTAP2. The
client’s browser implements the JavaScript-based Web Authentication API to communicate with the server over the network.

3     Methods                                                            Following tracekey’s three-week release cycles, the secu-
                                                                      rity key-based authentication method was developed on an
Our study’s primary goal was to gain insights into the usabil-        internal test server and pushed to the public test and validation
ity, user perception, and barriers or facilitators for the adoption   server before the study started. The test server was accessed
of FIDO2. To increase ecological validity, we conducted the           regularly by tracekey employees and customers. Due to a
study on a web application in a small software company in             delay in the release process, the new authentication method
the life sciences industry. We collected and analyzed quali-          was available on the production server only in the last week
tative data in the form of login diaries and semi-structured          of the study (see Section 5.5).
interviews, but also quantitative data in the form of server             The participants used two variants of FIDO2-compliant
logs.                                                                 hardware tokens, the Security Key by Yubico and YubiKey 5
                                                                      NFC, both from Yubico [30]. Both variants had the same form
                                                                      factor and supported WebAuthn, CTAP, and U2F. YubiKey
3.1    Study Environment                                              5 NFC offered additional features (e.g., support for OTP algo-
                                                                      rithms, OpenPGP, etc.) and could also be used via NFC. We
We conducted our study at tracekey solutions GmbH,1 a small           did not require any of the additional features so that both key
software company from Bochum (Germany). As a software-                variants could be used in the same way.
as-a-service provider, they develop and operate a product
serialization service for small and medium-sized businesses
                                                                      3.1.1   Recruitment
in the pharmaceutical industry. The service offers a solution
to fulfill the traceability requirements of this industry [12].       We asked all employees who were eligible for our study (i.e.,
   The service includes a web application that requires cus-          having accounts on both the public test server and the produc-
tomers and employees to authenticate with a username and              tion server, using the web application on a daily basis, and
password. For our study, we extended the existing login form          being available at the time of the study). We invited the 10 em-
and authentication back end and added a new login option              ployees who fulfilled these criteria to an in-house workshop,
using WebAuthn with a roaming hardware token.                         in which 9 attended. During the training session, we briefed
   We decided only to allow PIN-protected security keys (in           the attendees about the purpose of the study, the procedure,
contrast to Lyastani et al. [17]) because some participants           risks and benefits, and the option to withdraw from the study
occasionally worked remotely, and losing the security key             at any time without penalty. We asked them to read and sign a
was a realistic scenario. However, this may have reduced              consent form containing the same information. Participation
the comfort of using the key (see Section 4.3). The company           was voluntary and uncompensated since they took part in the
had an authentication policy for its software that required           study during working hours.
re-authentication after 30 minutes of inactivity. Due to this            We informed the participants about the required operating
policy, we did not consider adopting a “remember me” option,          system and browser version. The minimum requirement was
which does not ask the user to authenticate for a particular          Microsoft Windows 10 version 1903 because it implemented
time after a successful login on a device. We did not imple-          CTAP2 in Windows Hello. The participants used Mozilla
ment any fallback authentication procedure for the security           Firefox, Microsoft Edge, and Google Chrome. Of those three,
key because the participants could still use their passwords,         only the stable version of Chrome did not support Windows
and manual account recovery was also a viable option.                 Hello at the time of the study. We asked participants who
                                                                      used Google Chrome to switch to one of the other browsers
1 https://www.tracekey.com/,   as of April 30, 2020                   or the beta version of Google Chrome.
3.1.2   Implementation                                             It is important to highlight that we are specifically targeting a
                                                                   corporate context, where such training sessions are relatively
We used a server-side WebAuthn library provided by Yubico
                                                                   common. This situation is very different from introducing
to implement the new FIDO2-based authentication. This
                                                                   WebAuthn to consumers.
library was integrated because the Spring Security framework
                                                                       After the training session, participants were handed the
used by the web application did not support WebAuthn at the
                                                                   security keys and asked to set up the key on their work laptop
time of the study.
                                                                   computer and one of their accounts in the web application.
   To implement the login, we used the resident credential
                                                                   Since most of the participants had multiple accounts for the
feature of FIDO2. This feature allows storing credential infor-
                                                                   web application, we encouraged them to register it with addi-
mation like the username and private key on any authenticator
                                                                   tional frequently used accounts and assisted them if necessary.
with built-in memory. The participants did not need to enter
                                                                       At the end of the workshop, participants filled in a question-
their username because of this feature.
                                                                   naire in which we gathered demographic data and feedback
   In addition to this, we redesigned the login screen of the
                                                                   on the user interface and workflow of the implementation. We
web application (see Step 1 of Figure 2) to present both login
                                                                   were especially interested in participants’ knowledge about
methods (i.e., WebAuthn with security key and username and
                                                                   web authentication and used a modified version of the web-
password). We decided to display both options on the same
                                                                   use skill index of Hargittai and Hsieh [14] for this purpose,
website to allow participants to choose between them without
                                                                   focusing on authentication-related terms. We also gathered
additional clicking on the website.
                                                                   free-text responses about the participants’ experiences with
                                                                   security keys and 2FA, and asked them to explain how a
3.1.3   Data Preparation                                           security key may improve the security of their account.
At that time of the study, not all browsers stable versions
supported the WebAuthn options used by our FIDO2-based             3.2.2   Authentication Diary
authentication like user verification (i.e., via PIN) and res-
ident keys (i.e., the username is chosen from a list instead       Over the next four weeks, the participants’ task was to use
of manually entered). Thus, most WebAuthn related errors           the security key in their work routine. Additionally, we en-
could be attributed to the use of an unsupported browser.          couraged them to keep an authentication dairy in which they
   We removed entries of accounts without a registered se-         noted all logins over the first two days, and later only their
curity key from the logs before the analysis, leaving logs         failed login attempts. We adapted the diary from the work of
containing entries of study participants or failed logins, which   Steves et al. [26]. Each diary entry comprised authentication
we could not attribute. The information provided by the times-     time and date, on which server the participant tried to log
tamps of each login attempt was used to calculate average          in (e.g., the public test server) and whether the participants
authentication times for the different login types aggregated      used the security key or username and password. They could
across all participants (see Figure 4).                            also rate their satisfaction with the login on a five-item emoji-
                                                                   based scale we adapted from previous work [2, 20]. Despite
                                                                   their potential drawbacks (e.g., varying representations of the
3.2     Study Protocol                                             same emotion [19]), emojis were found to be well suited for
The study was conducted over six-week in June/July 2019 and        affective self-reports of participants [28]. Furthermore, each
was framed as a usability study on security keys. It consisted     diary entry had a section for errors and comments.
of three phases. The first phase was a workshop in which we           To enrich the authentication diaries and to get insights into
briefed the participants on using the security key. It followed    how long it took the participants to authenticate, we also col-
a four-week phase of day-to-day use of the security key during     lected the timings of each login from the server logs. Each log
which we collected data via authentication diaries and server      entry contained multiple timestamps, username, user agent,
logs. Finally, we interviewed the participants to discuss their    WebAuthn-related information (e.g., the WebAuthn creden-
experience using the security key and debrief them.                tial ID or the WebAuthn error message), and information
                                                                   about the login’s success or failure. Especially in the case of
                                                                   failed login attempts, the logs provided additional insights.
3.2.1   Initial Workshop
We started the study with a one-hour workshop. During this         3.2.3   Interview
workshop, we first introduced the study as well as its purpose.
We gave all participants consent forms, which also contained       After the four-week usage phase, we invited the participants
information about our study and their participation, and let       to interviews. The interviews took place in a conference room
them read and sign the form. A fifteen-minute training session     in the company, and each session lasted 15 to 20 minutes.
introduced the security key, demonstrated the setup and use        All but one participant were German native speakers, and we
of the key, and showcased the user interfaces of each phase.       conducted seven interviews in German and one in English.
1) Visit Website     A2) Insert Key       A3) Enter PIN          A4) Touch Key        A5) Select Account
WebAuthn Security Key

                               or
  Password Auto-Fill

                        1) Visit Website   B2) Click Username   B3) Select Account       B4) Click Login

Figure 2: Comparison of the login procedures when using WebAuthn with a security key (top) vs. the browser’s password
auto-fill feature (bottom). The dashed borders are indicating omitted steps. If the security key is already plugged-in, the dialog in
Step A2 does not show up. Having only one account stored on the key or in the browser, skips steps A5, B2, and B3.

   The interviews were semi-structured and addressed the per-              They then compared the categories and themes across all in-
ceived usability of the security key, the differences between              terviews and created codes. A third researcher merged the
the key-based and password-based authentication, and the                   themes and codes, derived a final codebook, and used it to
obstacles in using the key. Our goal was to examine why                    code all interviews again. The full codebook is presented in
participants used the security key and what kept them from                 Appendix B.
using it. The participants were also asked which of the two
login methods they perceived as more secure.
                                                                           3.3       Demographics
   We started each interview with a question about how they
liked using the security key. The participants’ answers gave               Since we conducted our study in a small company, the partic-
us insights into their general impression of the security key              ipants had different backgrounds and positions. They were
and their experience of using it. We then asked them how                   software developers, sales representatives, or project man-
frequently they used the web application and how often they                agers. One-third of the participants were female (3 out of 9)
used the key over the last four weeks. The participants were               and the other two-thirds were male. The participants were 22–
also asked to describe the difference between username pass-               44 years old (mean: 30, SD: 6.3). Five (out of 9) participants
word and security keys. If they mentioned 2FA, we let them                 had completed a master’s degree, one holds a bachelor’s de-
explain what 2FA is and what the two factors are.                          gree, and two had studied at a university without completing a
   Additionally, we asked them to share their thoughts on                  degree. One had completed a vocational training. All but one
which authentication method is more secure and their ratio-                of the 9 people who attended the workshop completed the full
                                                                           study. The person who dropped out was on vacation during
nales. The full interview guide can be found in Appendix A.2.
                                                                           the second phase of the study and could not use the security
   In contrast to password-based authentication, our posses-               key. Nevertheless, we included this person’s feedback from
sion-based method required the user to have the security key               the workshop in our evaluation.
with them. Thus, we wanted to know how hard it was to
have the key at hand for the participants since this was the
most obvious hurdle. However, we encouraged them to tell                   Web Authentication Skills
us about other obstacles they encountered as well. Finally, we             To examine the participants’ knowledge about web authenti-
asked them whether they would use the key in the future and                cation, we adjusted the Web-use Skill Measure [14] to focus
for the reasons for their decision.                                        on web authentication, resulting in a skill survey containing
   To analyze the interviews, we used a data-driven coding                 ten authentication-related terms. We selected surveyed items
technique (as described in [10]). Two researchers indepen-                 from security awareness trainings, education materials, and
dently coded all interviews through categorizing participant               infographics, including the NCSC glossary [22]. Table 1
statements and identify recurring themes in each interview.                shows the mean and standard deviation for all ten items.
Table 1: Web authentication skills are determined by rating       4     Results
the understanding of ten authentication-related items. The
items are in the order of appearance in the questionnaire.        Next, we present and discuss the results of our study. We
                                                                  evaluate the data we gathered through login diaries, server
Item                                         Mean         SD      logs, and interviews.
Malware                                        3.1        0.74
Phishing                                       3.3        0.94    4.1    Frequency of Authentication
Two-factor authentication                      3.4        0.69
One-time password                              2.5        1.26    Among the participants, the number of logins per day varied.
Personal identification number                 4.2        0.63    Some participants logged into the web application multiple
Auto-fill                                      3.2        1.55    times a day, while others only used it once a week or less. Fig-
Challenge-response                             1.8        1.23    ure 3 shows how often the participants used the security key
Password manager                               3.9        0.99    over the four weeks of the study broken down by participant
Brute-force attack                             2.4        1.43    and week of the study.
Security question                              4.0        0.82
Composite score                                3.2        0.73
N                                              9
Scale                                          5-point
Cronbach’s α                                   0.89

   The standard deviations were higher for items with a lower
level of understanding (e.g., One-Time Password) than for
items with a “high-level” understanding (e.g., personal identi-
fication number). These low-level items refer to more tech-
nical aspects of authentication. In contrast to the results ob-
tained by Hargittai and Hsieh [14], our participants showed a
higher understanding of the medium-level rated terms Mal-
ware and Phishing, indicating that the participants had an
excellent understanding of authentication-related risks. A
composite score of 3.2 indicates that the level of understand-    Figure 3: Breakdown of the number of authentications with
ing lay between “some” and “good” understanding.                  the security key per participant and week. Except for partici-
   A Cronbach’s α value of 0.89 as an estimate of the inter-      pant P8, all participants used the security key only occasion-
relatedness of items and internal consistency of the survey       ally.
can be considered good, almost excellent. Due to the small
sample size, statistical evidence is limited. However, the re-       The reason for this discrepancy is that we conducted our
sults met our expectations because all participants worked in     study on the public test and evaluation server of the web
a software company and reported to be tech-savvy.                 application, which all the participants use but less often than
                                                                  the production server (see Section 5.5). We analyzed the
                                                                  server logs to gain insight into how often the participants used
                                                                  security keys. Table 2 presents a detailed breakdown of how
3.4    Ethics                                                     many times the participants logged into the web application
                                                                  during the four weeks of the study.
Our institution did not have a review board governing this           For our analysis of the server logs, we filtered all log en-
type of study, so we discussed the study design with peers        tries in which the WebAuthn method or the usernames of our
to validate our research’s ethical perspective. We made sure      participants were involved. After the filtering, we had 287
to minimize any potential adverse effects from the study by       unique logins attempts over the four weeks. Surprisingly,
following the ethical principles laid out in the Belmont re-      only 67 (23.4 %) of these login attempts used a security key
port [21]. These principles included having an informed con-      while 141 of the remaining 220 login attempts used browser
sent procedure at the beginning of the study and explaining       auto-fill (i.e., browser password manager). We discuss this
to the participants that they could withdraw from the study       discrepancy in the number of logins in Section 4.4 in more
without any negative consequences.                                detail.
Table 2: Breakdown of successful authentications per ac-              Our warm-up question in the interviews was how they
count, participant, and authentication method. Most of the         liked using the security key. Four participants appeared to be
participants registered their security keys for at least two ac-   pleased about using the security key since they described the
counts. Four participant pairs shared five accounts; for these     key as easy to use and its handling as intuitive. One participant
accounts, we cannot distinguish which login belongs to which       was even enthusiastic when talking about impressions of the
participant. Manual logins contain all login attempts for          security key.
which the participants typed in the username and password
manually or copied them from an external password man-                   P2: “I don’t need to remember anything. It’s also
ager/storage.                                                            faster, I am completely convinced. I think it’s ter-
                                                                         rific.”
                           Number of Authentication
                                                                    The four other participants started referring to minor issues
                      Security Password        Manual               which occurred when they used the key (e.g., being annoyed
Account     IDs           Key Auto-fill        Logins Total         by touching the key because “it is on the other side of the
A1          P1                4           7          10     21      desk” (P7)), two of which still rated its usage to be overall
A2          P1, P3            2           3           4      9     “ok” (P3, P5). The remaining two participants stated they did
A3          P2                1           0           0      1      not use the key as often as intended and did not provide a
A4          P2                2           1           0      3      clear judgment.
A5          P2                1           9           7     17
A6          P2, P4            2          33           3     38     4.3    Authentication Timings and Convenience
A7          P2, P4            5          30           2     37
A8          P3                2           4           5     11     During the interviews, the participants revealed that their
A9          P3                2           0           1      3     convenience in authenticating varied in many aspects. In
A10         P3                1           2           3      6     particular, their feedback on convenience using the security
A11         P3                1           4          13     18     key highly depended on how they managed their password-
A12         P3, P4            9           6          12     27     based credentials since this was their ground truth against
A13         P5                0          20           2     22     which they compared the new method.
A14         P5                5           6           8     19         We encountered three different ways of managing pass-
A15         P6                4           9           3     16     words: (i) The employees used a collaboration software where
A16         P6, P8            3           5           2     10     they stored their shared credentials and copy-and-pasted them
A17         P7                2           0           3      5     into the respective login website, (ii) they saved their pass-
A18         P8               21           2           1     24     words using a third-party password manager software, or
                                                                   (iii) they used the browser’s built-in password manager.
Total                        67         141          79    287         Five participants (P1, P2, P4, P5, P8) mentioned that the
                                                                   security key reduced the memory effort because they only
                                                                   needed to remember one PIN. Two participants who manually
   To analyze login attempts with security key, we used the        copy-and-pasted passwords (P2, P3) stated that using the
authentication diaries and the interviews. Participant P1 faced    security key was faster than entering username and password.
a problem where the touch sensor of the security key (see
A4) Touch key in Figure 2) did not work at first, so he needed           P2: “[...] but it is much more convenient if you can
multiple tries until the login was successful. Participant P8            simply use this key, push it, enter your 4-digit PIN
reported a similar problem. In this case, the software detected          instead of your 12-character password [...]. It is
the security only after plugging it in again. Figure 2 shows             also faster like this.”
the respective step labeled A2) Search/insert key. The other
six participants reported no security key-related problems.            In contrast to these two participants, five participants used
                                                                   browser built-in password managers with a password auto-
4.2     General Impressions                                        fill feature and stated that the authentication with auto-fill
                                                                   required fewer steps than using the security key (P4, P6, P7)
We started the interviews asking by participants about their       or was faster (P5, P6, P7, P8). The timings we extracted from
general impressions using the security key over the four-week      the server logs support their statements. We measured the
study period. The themes we found in our analysis of the in-       time starting when the login website was fully loaded and
terviews resulted in five categories of codes (cf. Appendix B):    ending when the login form was submitted to the server for
(i) Use of the security key, (ii) comparison of the security key   each authentication attempt. Figure 4 presents the timings of
with username and password, (iii) adoption barriers, (iv) gen-     the different login variants. It shows that the security key was
eral impression, and (v) perceived security.                       slower than the password auto-fill feature of a browser.
For authentication attempts using the security key, we could       Another participant referred to the use of the 2FA-protected
not determine whether the measured times include the time          third-party password manager and preferred using the security
to reach for and plug in the security key or if it were already    key because it was less cumbersome.
plugged in before plugged in before. We expect our result
set to comprise both scenarios. However, since we consider               P5: “In comparison I think that the key is more
physical interactions with the security key part of the authen-          user-friendly, it requires less effort than invoking
tication ceremony, our results provide a best-case estimate. If          both WinAuth and KeePass.”
the measured times had not included preparing the key, the
gap compared to the password auto-fill timings would have
become even larger.
                                                                   4.4     Weighing Security and Purposes
   Figure 2 illustrates the steps required to log in with the
key compared to the browser’s auto-fill feature. Using the         During the interviews, participants indicated awareness of
security key requires three steps in a best-case scenario. This    different security requirements for different services. We
scenario requires that the key is already plugged into the         unveiled such tendencies when asking participants about the
computer (Step A2), only the security key is configured for        purposes they had used the security key for. Getting a full
Windows Hello (Step A2), and only one account is registered        view is a two-step process since we also needed to capture
for the key (Step A5). The three steps are (i) clicking the        how the participants estimated the security of the available
login button beneath the security key symbol (see Step 1),         authentication options.
(ii) entering the PIN of the security key as shown in Step A3),
and (iii) touching the key (see Step A4).
   In contrast, the credential auto-fill via browser requires      4.4.1   Security of Authentication Schemes
at best (with only one username-password pair stored in the
browser for the website) one click on the login button, as         While six participants (P3–P8) rated the security key as more
shown in Step B4. Otherwise, the user needs to click the text      secure than the password-based authentication schemes, par-
field for the username (Step B2) and select the desired account    ticipant P1 guessed that the password copy-and-paste mecha-
(Step B3). In both cases, the auto-fill procedure requires fewer   nism is presumably more secure than the security key. How-
steps and no physical interaction with additional hardware,        ever, he mentioned the risk of losing the key and, conse-
which explains why it is the faster authentication procedure.      quently, becoming unavailable to log in, as a reason for the
                                                                   key’s reduced level of security.

                                                                         P1: “I guess you can use such a security key, and
                                                                         how do you log in if you don’t have it? [...] So, I
                                                                         believe the standard way [i.e., using passwords] is
                                                                         maybe more secure? Well, I’m not sure if it’s ‘more
                                                                         secure’ but I can log in in any case [...]”

                                                                      Another participant stated that the security offered a good
                                                                   security level but refrained from deeming one scheme more
                                                                   secure than another. Participants P2, P5, and P8 explained that
Figure 4: Authentication timings for different login vari-         the security of the key-based authentication is more secure
ants. The time spent by participants to authenticate varies        because it relies on “two factors”, i.e., possession of the key
depending on the login type used. (N denotes the mean.)            and knowing the correct PIN. Furthermore, participant P5
                                                                   elaborated his understanding of how the security key works,
   Participant P4 provided the most differentiated feedback,       alleging that the passwords are stored on the key.
taking into account both manually copying and pasting pass-
words as well as using the browser’s password manager when               P5: “It is secure, if I understand correctly, because
assessing the convenience using the security key.                        the passwords are stored on the key and, therefore,
     P4: “I already have the passwords saved in my                       are not affected if I have a compromised machine
     Edge account for all different accounts. So that                    [...]”
     was more convenient for me because it’s hardly one
     click [...] Even if I save something in the browser, it         Even though this explanation is not correct from a technical
     will work that way as well but if you use the security        perspective, the idea of P5 can give non-expert users some
     key it will definitely [be] time saving as well [...].”       useful intuition why the key is more secure than passwords.
4.4.2   Use of the Security Key                                         The time factor was not only important for authentication,
                                                                     two participants (P5, P6) also mentioned that they needed to
In total, three participants talked about different security re-
                                                                     invest time (“5–10 minutes”) to set up the key for an account,
quirements depending on a service’s purpose. Two partici-
                                                                     which implies that even comparably small amounts of time
pants named online banking (P6, P7), another authentication
                                                                     can be an adoption hurdle.
at work (P5) as use cases that require a higher level of security.
   When asked whether they want to keep using the key after               P6: “There is this small initial effort you need to
the study, four participants signaled willingness (P2, P3, P4,            find five to ten minutes for.”
P8), two were not sure (P5, P6), and two did not want to use
the key in the future (P1, P7). Opinions of those who could             Besides the time aspects, participants’ feedback from the
imagine continuing using the key ranged from plain approvals         interviews unveiled further details about additional obstacles
(P2, P8: “yes”) to readiness to use the key exclusively if the       towards the adoption of the security key.
working environment supported this:
                                                                     4.5.1   Fallback Authentication
      P3: “Yes, and if it would work with the production
      server, I would work exclusively using the key.”               Several participants expressed concerns about not being able
                                                                     to log in if they do not carry their keys (P2, P3) or even lose
   However, participants revealed different opinions on ex-          them (P1). Participant P3 further mentioned a potential risk of
tending the use to personal accounts. While one participant          technical flaws, hampering the ability to log in. The majority
claimed willingness to use the key for personal purposes (P2),       of participants had no problems with carrying the key, e.g.,
two participants stated that they would not use a security key       by attaching it to their key rings.
off the job.
   While P4 stated to use a password manager for personal                 P6: “I have it on my [...] key ring. Thus, I have it
accounts, P7 unambiguously explained that the additional                  with me all the time.”
time required to use the key compared to a password manager
is an unacceptable trade-off in everyday use.                          However, this was not a proper solution for every partici-
                                                                     pant. P7 explicitly deemed this a disadvantage and suggested
      P7: “In the time it takes to dig it up, plug it in, enter      providing a solution to attach the key to a smartphone.
      the PIN, and push it – I could have already bought
      two pairs of shoes.”                                                P7: “That’s cumbersome, and I also have quite few
                                                                          keys, and I don’t want to plug them all in.”
  Another participant remained rather indecisive when asked
about using the key for personal use, due to the additional             Potential problems about handling the key were also men-
overhead compared to the use of a password manager.                  tioned by another participant (P2), who feared to destroy the
                                                                     key due to its tiny size and shakiness when plugged in and
      P8: “When you have stored your passwords in your               suggested a more sturdy design.
      browser, it is still faster than picking the key, plug-           These answers show that participants’ views were not lim-
      ging it in and entering the PIN.”                              ited to the scope of the study but also widened for the security
                                                                     key’s general use as a single first authentication factor. Not
                                                                     being able to log in due to losing the key was not a real risk
4.5     Adoption Barriers                                            in our scenario since participants could always choose be-
The authentication diaries and responses in the interviews           tween password-based and key-based authentication during
show that usage rates of the security key were rather low            the study.
(see Section 4.1), so we asked the participants what prevented
them from using the security key in particular situations. They      4.5.2   Workflow and Environment
reported several hurdles when using the key, e.g., the fear
of losing access to their accounts, the additional effort/time       The workflow of the authentication or the work environment
required to plug the key in or unlock it, and the habitual use       can also be an adoption barrier. As discussed in Section 4.3,
of passwords.                                                        the security key requires more interactions for each authenti-
   Participants P5 and P7 mentioned that the additional effort       cation. Participant P6 explicitly mentioned the higher click-
and time to interact with the key makes it less convenient than      count when using the security key (i.e., the Windows Hello
authenticating with username and password.                           user interface) compared to entering the username and pass-
                                                                     word or using the browser’s password manager.
      P5: “Well, it would start to make a real difference
      if I didn’t have to enter anything at all but only had              P6: “The workflow needs to be simple. Like even
      to touch the key.”                                                  faster. Fewer clicks.”
Another participant saw the account selection of Windows              However, our analysis of the interviews and authentication
Hello as a hurdle for adoption.                                      dairies identified three problem areas unique to or more im-
                                                                     portant for the security key as a primary authentication factor:
     P1: “I have 40 accounts or so. When I register the              (i) concerns about account recovery in case of key loss or
     key for all of them and I want to log in then, I need           defect, (ii) having a more complex and possibly slower au-
     to scroll through all of them [...] That’s a little bit         thentication process, and (iii) security benefits are intangible.
     time-consuming.”                                                   Losing access to the account through defect or loss of the
   Two participants indicated that the characteristics of their      security key is the primary concern for users, especially if
work environment made it more challenging to integrate the           it is the only way to authenticate. A possible solution to
key into their routines. For instance, picking an account to         this problem is registering multiple security keys for one
log in when multiple accounts were used on the same website,         account, but this seems to be an additional burden to the
since the names of all accounts followed a naming convention         users. Another option is using username and password as
made them very similar.                                              fallback authentication, but this nullifies the security benefits
                                                                     of FIDO2. The question of how to realize secure fallback
     P3: “I cannot see at first sight to which account               authentication for FIDO2 is still open for future research.
     [the username] actually belongs.”                                  The differences in the timings between the security key
                                                                     and other login methods, as indicated in Figure 4 and also
   Similar, another participant denoted that the login is slightly
                                                                     mentioned by multiple participants, needs to be tested with a
different depending on the operating system and browser (here
                                                                     larger sample. Other authenticators could make “password-
Windows 10 version 1903 and Google Chrome 76).
                                                                     less” FIDO2-based authentication faster and less complex.
     P6: “[...] on my computer the Windows update has                   Even though most participants found the security key to
     not been rolled out yet, so, I could not use Firefox            be more secure than username and password, the reasons
     [...] and [in the other browser] I need to click three          why the key was, in fact, more secure were hard to grasp for
     times and touch [the key] twice to log in.”                     them. More research on how to explain the security benefits
                                                                     of FIDO2-based authentication schemes is needed. In the
4.5.3   Routine in using Passwords                                   following, we discuss our results using the three categories to
                                                                     assess authentication schemes proposed by Bonneau et al. [5].
Considering aspects of introducing and integrating new secu-
rity measures into a well-functioning working environment
raises questions about how to overcome long-established secu-        5.1    Usability
rity behaviors. Participant P7, who showed a generally rather        Our study indicates that the security key is usable in the sense
reserved attitude towards using the security key, remarked           that all the participants understood how to use the key cor-
that routine in handling passwords was a reason not to use           rectly and comprehended the on-screen instructions. The
the security key for authentication, especially in cases when        problems the participants encountered were rare, and they
something needed to be checked quickly.                              could solve all of them.
     P7: “It was not an active decision [to use the pass-               Authentication times appeared to be more of a limiting
     word], but rather a situation when I just had to get            factor. Using the browser’s auto-fill feature was the fastest
     things done. [...] I’m just used to it, because I know          authentication method in our scenario. Even “manual logins”
     the password for this application. [...] It’s like an           (e.g., copy and paste the password) may be faster than using
     addiction. You still use the password after all.”               the security key. This speed difference may be one of the
                                                                     primary adoption barriers.
This statement suggests that deeply ingrained security habits           The level of routine and habituation users developed with
cannot be challenged, let alone be replaced easily, not within       passwords is high. Some interview statements implied that
the four weeks of our study.                                         password-based authentication does not necessarily induce
                                                                     friction but works as an unconscious background process that
5    Discussion                                                      makes it more challenging to get used to a new scheme like the
                                                                     security key. Protecting the key with a PIN also undermines
In contrast to prior work investigating security keys in the         its benefit of allowing “passwordless” authentication.
context of 2FA [8, 9, 15, 16, 24], we focused on a secure au-           Physical aspects and related handling of the key could also
thentication scheme without username and password. From a            be an obstacle. Actions like carrying the security key around,
user perspective, the difference is to have a new authentica-        e.g., by attaching it to a key ring, inserting it, or touching
tion scheme instead of adding steps to a well-known one. The         its button were a hurdle for some participants. However, the
resulting process still suffers from similar issues, as found by     degree of inconvenience appears to depend highly on the
studies on security keys in a 2FA context [8, 16].                   user’s perception and predispositions.
5.2    Deployability                                               5.5    Limitations
WebAuthn support, while increasing, is the biggest deploy-         Due to the qualitative nature of the study and the small sample
ment issue. This lack of support comprises operating systems,      size, it can only provide a first insight into “passwordless” au-
browsers, but also software frameworks to ease integration.        thentication with security keys. Our results may not apply to
Only recent versions of operating systems and browsers work        a broader population but indicate potential interesting topics
with all WebAuthn features, thus requiring web service own-        and raise new research questions.
ers to offer alternative authentication schemes and show ap-          We deployed the new authentication method on a public test
propriate error messages in case of unsupported operations.        server for our study. Although all participants had access to
   Missing best practices on login form design for WebAuthn-       the server and user accounts on it, half of them (4 participants)
based authentication hinders a consistent user experience          mentioned in the interviews that they used the test server less
across different web services. While a typical design has          often than the production system. The low use of the key
emerged for password-based login forms over time, there is         affected how the participants used the security key and might
no such design for WebAuthn. Research on the impact of             have had an impact on the perceived usefulness of it.
such forms is scarce.
   On the other hand, direct costs for hardware or support
                                                                   6     Related Work
and indirect costs through lost productivity are negligible. In
a company with tech-savvy personnel, the expense for the           The FIDO2 project has not been around for a long time, which
adoption of a security key-based authentication (not including     is why research in this specific area is limited. Most related
implementation) should not be too high. As Lang et al. [16]        to our study is the work by Lyastani et al. [17], as it does
showed with a predecessor of U2F and thus FIDO2, the same          investigate the use of tokens for primary authentication in the
can be true for large companies.                                   context of FIDO2. Lyastani et al. [17] conducted a lab study
                                                                   with end-users to get insights into the perception, acceptance,
                                                                   and concerns when security keys are used for passwordless
5.3    (Perceived) Security
                                                                   authentication. Their results conform to ours in terms of
Security is only secondary to usability when choosing an           a mixed impression with an overall positive impression of
authentication scheme in daily work life. If security is not       token-based authentication but also the fear of the participants
promoted as an essential part of work instead of being just an     to lose the token locking themselves out.
obstacle to other tasks, that fact remains [11].                      In contrast to Lyastani et al. [17], we implemented the
   The benefits of the security key, especially when it requires   token-based authentication in combination with a PIN be-
a PIN, need to be conveyed clearly. While creating risk aware-     cause it counteracts one of the disadvantages the participants
ness helps users to make informed decisions, reminding users       in the study by Lyastani et al. [17] mentioned, namely, the risk
of the benefits provided by a scheme seems to be even more         of illegal access when the authenticator is lost. However, this
promising [9].                                                     combination made the workflow more complex, which again
                                                                   can impede adopting the key. Additionally, we concentrate
                                                                   on the long-term and real-world impact of using token-based
5.4    Overcome Adoption Barriers                                  authentication in a corporate context. Through this different
                                                                   focus in the study, we saw that overcoming the routine users
We think that the FIDO2 project can replace password-based         gained in using passwords as an additional adoption barrier.
authentication on the Web in the long run. However, at the            Besides FIDO2, Pico, proposed by Stajano [25], is an-
moment, only a few applications or Internet services sup-          other example of a token-based login method. In a study by
port FIDO2-based authentication, which impedes its adoption,       Aebischer et al. [1], users appreciated the ability to avoid pass-
and the lack of reference implementations of the WebAuthn          words because of the known drawbacks, but adoption was
server-side hinders its integration. These obstacles will proba-   still identified as a problem as users prefer to stick to the fa-
bly resolve over time. To overcome some of the other adaption      miliar password-based authentication. We observed a similar
barriers we found, we have the following suggestions:              phenomenon, among the participants who used a password
   • Support multiple different authenticators (platform and       manager. Although they were convinced that the security
      roaming authenticators if possible);                         key-based solution was more secure, but they preferred the
   • Require adaption of the security key in organizations (as     password managers because they were fast.
      suggested by Colnago et al. [8] for 2FA);                       While we are interested in hardware tokens as a first factor,
   • Make FIDO2-based authentication available for as many         research into 2FA is also related to our work as it gives impor-
      systems as possible                                          tant insights into the use of tokens for authentication. Despite
   • For PIN-protected security keys, allow to “remember”          what factor is used, the initial setup of an additional second
      the PIN until the key is unplugged.                          factor is one of the major issues for most users [7, 15, 23, 24].
A corporate context – in which we were interested in this           Acknowledgments
study – allows counteracting this problem by offering cus-
tomized guidance for the setup phase. Because of this, we           The authors would like to thank tracekey solutions GmbH for
walked the participants through the initial steps.                  allowing them to conduct a study in their company and provid-
   Studies by Das et al. [9] and Ciolino et al. [7] further ana-    ing the necessary software and hardware. This research was
lyzed why users decide not to use 2FA security keys. They           partially funded by the MKW-NRW research training groups
found two main reasons: (i) Users are afraid of losing their        SecHuman, “Human Centered Systems Security” sponsored
key locking themselves out and (ii) some users also do not          by the state of North Rhine-Westphalia, Germany, and the
fear an account takeover, which is why they see no necessity        German Research Foundation (DFG) within the framework
for the additional effort associated with the use of a security     of the Excellence Strategy of the Federal Government and the
key. These findings are supported by adoption rates reported        States – EXC2092 CASA – 390781972.
by Google with less than 10 % of active Google accounts
having 2FA enabled [18]. While these findings are relevant          References
for the end-user, the situation in a corporate context is differ-
ent. Here, the motivation to use security keys is driven by          [1] Seb Aebischer, Claudio Dettoni, Graeme Craig Jenk-
the company, and using them can be made mandatory for the                inson, Katarzyna Kinga Krol, David Llewellyn-Jones,
employees.                                                               Toshiyuki Masui, and Francesco Mario Stajano. Pico in
   Furthermore, it was found that users have an overall pos-             the Wild: Replacing Passwords, One Site at a Time. In
itive attitude towards security keys once they are in place              European Workshop on Usable Security, EuroUSEC ’16,
as a second factor. [7, 9, 24]. They are seen as easy to use             Paris, France, April 2017. ISOC.
and increase the perceived security [8, 16]. We come to a
                                                                     [2] Sarah Alismail and Hengwei Zhang. The Use of Emoji
similar conclusion for the case when security keys are used as
                                                                         in Electronic User Experience Questionnaire: An Ex-
a primary factor. Regarding the timing of security key-based
                                                                         ploratory Case Study. In Hawaii International Confer-
logins, Reese et al. [23] found that login times decrease the
                                                                         ence on System Sciences, HICSS ’18, Waikoloa Village,
longer and the more often security keys are used. Some partic-
                                                                         Hawaii, USA, January 2018. ACM.
ipants also mentioned the fast authentication time, yet some
abandoned the security keys in favor of a password manager           [3] Anti-Phishing Working Group.         Phishing At-
because it allows an even more efficient authentication.                 tack Trends Report – 2Q 2018, October 2018.
                                                                         https://docs.apwg.org/reports/apwg_trends_
                                                                         report_q2_2018.pdf, as of April 30, 2020.
7   Conclusion                                                       [4] Dirk Balfanz, James C. Jones, Akshay Kumar, Huakai
                                                                         Liao, Jeff Hodges, Emil Lundberg, Czeskis Alexei, Rolf
We conducted a qualitative study on the usability of FIDO2,              Lindemann, and Michael Jones. Web Authentication:
using USB-based hardware tokens in the form of security keys             An API for accessing Public Key Credentials Level 1.
in the context of a small company. The core components of                Recommendation REC-webauthn-1-20190304, World
FIDO2 – WebAuthn and CTAP – offer promising alternatives                 Wide Web Consortium, March 2019.
to the dominant username-password scheme used for web au-
thentication. FIDO2 security keys present a phishing-resistant       [5] Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot,
form of hardware tokens suited as the primary authentication             and Frank Stajano. The Quest to Replace Passwords: A
factor for web applications.                                             Framework for Comparative Evaluation of Web Authen-
   In contrast to previous work on authentication via security           tication Schemes. In IEEE Symposium on Security and
keys, we focused on using the key as a primary authentication            Privacy, SP ’12, pages 553–567, San Jose, California,
factor instead of having it as an additional factor in a 2FA             USA, May 2012. IEEE.
setting. Although most participants considered the security          [6] Christiaan Brand, Alexei Czeskis, Jakob Ehrensvärd,
key-based login as usable, several of them stopped using the             Michael B. Jones, Akshay Kumar, Rolf Lindemann,
key as it was slower than using the password manager built               Adam Powers, and Johan Verrept. Client to Authentica-
in their browsers. Furthermore, the security benefits were               tor Protocol (CTAP). Proposed Standard fido-v2.0-ps-
largely intangible or perceived as unnecessary by the partici-           20190130, FIDO Alliance, January 2019.
pants. Another issue was the missing support of some browser
and operating systems at the time of the study. All these adop-      [7] Stéphane Ciolino, Simon Parkin, and Paul Dunphy. Of
tion barriers should be minimized before introducing FIDO2               Two Minds about Two-Factor: Understanding Everyday
(with security keys) to replace username and password-based              FIDO U2F Usability through Device Comparison and
authentication in a company.                                             Experience Sampling. In Symposium on Usable Privacy
and Security, SOUPS ’19, pages 339–356, Santa Clara,            In Financial Cryptography and Data Security, FC ’16,
     California, USA, August 2019. USENIX.                           pages 422–440, Accra Beach, Barbados, February 2016.
                                                                     Springer.
 [8] Jessica Colnago, Summer Devlin, Maggie Oates, Chelse
     Swoopes, Lujo Bauer, Lorrie Cranor, and Nicolas            [17] Sanam Ghorbani Lyastani, Michael Schilling, Michaela
     Christin. “It’s Not Actually That Horrible”: Exploring          Neumayr, Michael Backes, and Sven Bugiel. Is FIDO2
     Adoption of Two-Factor Authentication at a University.          the Kingslayer of User Authentication? A Comparative
     In ACM Conference on Human Factors in Computing                 Usability Study of FIDO2 Passwordless Authentication.
     Systems, CHI ’18, pages 456:1–456:11, Montreal, Que-            In IEEE Symposium on Security and Privacy, SP ’20,
     bec, Canada, April 2018. ACM.                                   San Francisco, California, USA, May 2020. IEEE.
 [9] Sanchari Das, Andrew Dingman, and L. Jean Camp.            [18] Grzergor Milka. Anatomy of Account Takeover. In
     Why Johnny Doesn’t Use Two Factor A Two-Phase                   USENIX Enigma Conference, Enigma ’18, Santa Clara,
     Usability Study of the FIDO U2F Security Key. In Fi-            California, USA, January 2018. USENIX.
     nancial Cryptography and Data Security, FC ’18, pages
     160–179, Santa Barbara Beach, Curação, February 2018.      [19] Hannah Jean Miller, Jacob Thebault-Spieker, Shuo
     Springer.                                                       Chang, Isaac Johnson, Loren Terveen, and Brent Hecht.
                                                                     “Blissfully Happy” or “Ready to Fight”: Varying Inter-
[10] Jessica T. DeCuir-Gunby, Patricia L. Marshall, and Alli-        pretations of Emoji. In AAAI Conference on Web and
     son W. McCulloch. Developing and Using a Codebook               Social Media, ICWSM ’16, pages 259–268, Cologne,
     for the Analysis of Interview Data: An Example from             Germany, May 2016. AAAI.
     a Professional Development Research Project. Field
     methods, 23(2):136–155, December 2011.                     [20] Adam Moore, Christina M. Steiner, and Owen Conlan.
                                                                     Design and Development of an Empirical Smiley-Based
[11] Geoffrey B. Duggan, Hilary Johnson, and Beate Grawe-            Affective Instrument. In Workshop on Emotions and Per-
     meyer. Rational Security: Modelling Everyday Pass-              sonality in Personalized Services, EMPIRE ’13, pages
     word Use. International Journal of Human-Computer               41–52, Rome, Italy, January 2013. CEUR.
     Studies, 70(6):415–431, June 2012.
                                                                [21] National Commission for the Protection of Hu-
[12] European Parliament and Council of the European                 man Subjects of Biomedical and Behavioral
     Union. Directive 2011/62/EU of the European Par-                Research.    The Belmont Report: Ethical Princi-
     liament and of the Council of 8 June 2011 amending              ples and Guidelines for the Protection of Human
     Directive 2001/83/EC on the Community code relating             Subjects of Research, September 1978.     https:
     to medicinal products for human use, as regards the             //www.hhs.gov/ohrp/regulations-and-policy/
     prevention of the entry into the legal supply chain of          belmont-report/index.html, as of April 30, 2020.
     falsified medicinal products. Official Journal of the
     European Union, 174(1):74–87, July 2011.                   [22] National Cyber Security Centre. Common Words
                                                                     and Phrases Relating to Cyber Security, January
[13] FIDO Alliance. The FIDO (“Fast IDentity Online”) Al-            2018. https://www.ncsc.gov.uk/information/
     liance – Industry Association to Promote Authentication         ncsc-glossary, as of April 30, 2020.
     Standards, February 2013. https://fidoalliance.
     org, as of April 30, 2020.                                 [23] Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan
                                                                     Armknecht, Jacob Cameron, and Kent Seamons. A Us-
[14] Eszter Hargittai and Yuli Patrick Hsieh. Succinct Survey        ability Study of Five Two-Factor Authentication Meth-
     Measures of Web-Use Skills. Social Science Computer             ods. In Symposium on Usable Privacy and Security,
     Review, 30(1):95–107, February 2012.                            SOUPS ’19, pages 357–370, Santa Clara, California,
                                                                     USA, August 2019. USENIX.
[15] Kat Krol, Eleni Philippou, Emiliano De Cristofaro, and
     M. Angela Sasse. “They brought in the horrible key ring    [24] Joshua Reynolds, Trevor Smith, Ken Reese, Luke Dick-
     thing!” Analysing the Usability of Two-Factor Authen-           inson, Scott Ruoti, and Kent Seamons. A Tale of Two
     tication in UK Online Banking. In Workshop on Usable            Studies: The Best and Worst of YubiKey Usability. In
     Security, USEC ’15, San Diego, California, USA, Febru-          IEEE Symposium on Security and Privacy, SP ’18, pages
     ary 2015. ISOC.                                                 872–888, Oakland, California, USA, May 2018. IEEE.
[16] Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius            [25] Frank Stajano. Pico: No More Passwords. In Workshop
     Schilder, and Sampath Srinivas. Security Keys: Practi-          on Security Protocols, SPW ’11, pages 49–81, Cam-
     cal Cryptographic Second Factors for the Modern Web.            bridge, United Kingdom, March 2011. Springer.
You can also read